Articles

No right to copies of documents for request to access one’s personal data under Dutch Data Protection Act

No right to copies of documents for request to access one’s personal data under Dutch Data Protection Act

No right to copies of documents for request to access one’s personal data under Dutch Data Protection Act

17.12.2014

According to clause 35 of the Dutch Data Protection Act (Wet bescherming persoonsgegevens; “DDPA”) a person (“data subject”) has the right to access the personal data that a party processes about him. This right is an elaboration of the principle of transparency and enables a person to check whether the processing complies with the DDPA. It is not necessary for a  data subject to explain why he wants access to his personal  data nor does he need to prove any particular interest therein.

In practice, an appeal based on the right to access often has little to do with privacy protection. Usually it is used in a dispute  to obtain certain documents from the other party. Since the  DDPA came into effect in 2001 several legal cases have been conducted on the right to access. The following categories highlight some of the common issues likely to arise such as: (i) which documents fall within the scope of the right to access, and in particular whether the data therein qualify as personal data (data that is directly or indirectly traceable to an individual); and (ii) questions with regard to the actual exercise of the right to access, particularly whether or not copies of documents containing personal data should be provided.

With regard to this last question, the Dutch courts differed sharply. The highest civil court, the Supreme Court, held that the right to access should be interpreted broadly: in principle, copies of documentation should be provided to anyone who requests access. On the other hand, the highest administrative court, the Administrative Jurisdiction Division of the Council of State, as a starting point, stated that the right to access must be interpreted narrowly and that copies do not always have to be provided. It suffices to provide an overview of the personal data processed.

To clarify which line should be followed in the Netherlands, both the Middelburg District Court and the Administrative Jurisdiction Division have independently asked preliminary questions to the Court of Justice of the EU in Luxembourg. This has been possible since the right to access in the DDPA is an implementation of the European Privacy Directive 95/46/EC.

Both cases dealt with refused residency permits. The applicants requested access to the minutes containing the grounds for refusal. The Minister for Immigration, Integration and Asylum refused to provide a copy of the minutes because a legal analysis would not qualify as personal data. A data subject requesting access receives an overview of his personal data, its origins and the bodies with which the information is shared. In short, the main questions submitted to the Court were as follows:

  1. Is the legal analysis recorded in the minutes to be regarded as personal data?
  2. Must a copy of the minutes be provided to fulfil the obligations under the right to access?

The Court consolidated both cases and ruled on 17 July.

According to the Court it is possible that a legal analysis recorded in the minutes may contain personal data, but the minutes as such do not qualify as personal data. The legal analysis is not to be regarded as information on the applicant because it relates to the interpretation and application of the law on the merits of the case. According to the Court, this is in line with the origin of the right to access, which stems from the notion that a person whose personal data are processed, must be able to verify that this is done in a correct and lawful manner. In a legal analysis, the data subject cannot verify this nor can the analysis be corrected by relying on the right of correction since this right exists to verify whether your personal data are processed correctly and not to review a legal analysis. The purpose of the Privacy Directive is to ensure the privacy of the data subject and is not a means of providing a right of access to administrative documents. It is remarkable that so far, both the Supreme Court and the Administrative Jurisdiction Division were of the opinion that if a person appealed using the right to access, the purpose behind the application was irrelevant. The Court qualifies this position slightly: the intention of the European legislator when drafting the Privacy Directive must be taken into account: the purpose of the data subject must match this intention.

With regard to dealing with a request to access, the Member States are free to determine in what manner access must be provided, as long as the information is provided in an understandable form. This means that the data subject must be able to inspect the information and must be able to check whether the information is processed in accordance with the Privacy Directive. Applying this approach means he can exercise his right to correct inaccurate information. The restrictive interpretation of the right to access, as advocated by the Administrative Jurisdiction Division, thus appears to be the accepted route. If a copy is provided, then all information which does not qualify as personal data can be removed.

In practice, it will still be a challenge to determine which information in a document should be regarded as personal data. It will therefore be interesting to see how future case law will deal with this issue.

The joint cases C-141/12 and C-372/12 can be found on http://www.curia.eu

Click here to see a printable version of this article

All rights reserved. Care has been taken to ensure that the content of this e-bulletin is as accurate as possible. However the accuracy and completeness of the information in this e-bulletin, largely based upon third party sources, cannot be guaranteed. The materials contained in this e-bulletin have been prepared and provided by Stibbe for information purposes only. They do not constitute legal or other professional advice and readers should not act upon the information contained in this e-bulletin without consulting legal counsel. Consultation of this e-bulletin will not create an attorney-client relationship between Stibbe and the reader. The e-bulletin may be used only for personal use and all other uses are prohibited.

Team

Related news

19.08.2019 EU law
Enable “likes” and bear joint-controllership

Articles - The Court of Justice of the European Union recently ruled, in Case C-40/14 Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV,  that a website operator that features “Like” social-media plugin from Facebook likely qualifies as joint-controller with Facebook for its website visitors’ personal data collection and transmission to Facebook.

Read more

23.07.2019 LU law
The Revised CSSF Cloud Circular

Articles - On 27 March 2019, the Luxembourg supervisory authority for the financial sector (the Commission de surveillance du secteur financier or CSSF) published the long-awaited CSSF Circular 19/714 amending the CSSF Circular 17/654 on IT outsourcing relying on a cloud computing infrastructure (the Revised Cloud Circular).

Read more

22.07.2019 NL law
HagaZiekenhuis beboet voor datalek

Short Reads - Enkele maanden geleden vierden we de eerste verjaardag van de Algemene Verordening Gegevensbescherming (AVG) met een uitgebreide beschouwing  over de belangrijkste  ontwikkelingen uit  het eerste jaar van de verordening. We concludeerden daarin onder meer dat de door sommigen voorspelde hoge bestuurlijke boetes voor overtredingen van de AVG tot dan toe  - zowel in Nederland als in de andere EU-lidstaten - grotendeels waren uitgebleven.

Read more

08.08.2019 BE law
Regulating online platforms: piece of the puzzle

Articles - The new Regulation no. 2019/1150 of the European Parliament and of the Council of 20 June 2019 on promoting fairness and transparency for business users of online intermediation services, applicable as of 12 July 2020, is another piece of the puzzle regulating online platforms, this time focussing on the supply side of the platforms.

Read more

15.07.2019 EU law
ICO to impose record-breaking fines for inadequate security measures and data breaches

Short Reads - Though the European data protection authorities have taken their time in enforcing the GDPR, two announcements by the ICO in the UK regarding proposed fines for British Airways and Marriott demonstrate that large fines are about to start landing regularly. Both of the substantial fines are to be handed out as a result of shortcomings in handling data breaches caused by cyber-attacks.

Read more

Our website uses functional cookies for the functioning of the website and analytic cookies that enable us to generate aggregated visitor data. We also use other cookies, such as third party tracking cookies - please indicate whether you agree to the use of these other cookies:

Privacy – en cookieverklaring